RFID-enabled credit cards - a security liability?

Regular readers of this column will recall my occasional wibbles about the insecurity of RFID-enabled credit card technology such as MasterCard PayPass.

To recap, PayPass is an RFID (radio frequency ID) plastic card that operates in a similar fashion to TfL's Oystercard - it's a smart card whose ID can be read at a range of up to a metre, depending on the local radio environment and the power of the interrogating signal.

Now a researcher/comedian called Tom Heydt-Benjamin has appeared on US TV posing as a mock psychic, and 'reading' the contents of a sealed envelope containing - you guessed - a PayPass credit card.

In his act, Heydt-Benjamin taps the sealed envelope against a black plastic box connected to his computer. Within moments, the screen shows a garbled string of characters that include the name of the cardholder, plus the card details, including the expiry date.

Not unexpectedly, Heydt-Benjamin's demonstration has caused something of a stir in US banking circles, with MasterCard being forced to move into positive PR mode, pointing out that its card details are encrypted using a 128-bit encryption system when interrogated.

So how did Heydt-Benjamin decrypt the card details?

That's actually irrelevant. What matters is that he did it, and that the same encryption system is also used by Amex and by most Blink Visa cards that use RFID technology.
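The column's point is that a vendor's "128-bit encryption" claim is beside the point if what a reader ends up holding is the cardholder's name, number and expiry in usable form. The following is an added example, not code from the column or from any card issuer: a DLP-style check that scans the bytes a contactless reader received and reports whether they contain a Luhn-valid card number and a plausible expiry. The two sample responses and their layout are constructed for illustration and are not the real PayPass or EMV contactless data format; the PAN used is a made-up test number that happens to pass the Luhn check.

```python
"""Added example (not from the column): scan a captured reader response for
cleartext cardholder data, the way a data-loss-prevention filter would.

The response layouts below are constructed for illustration; they are NOT
the real PayPass/EMV contactless format, and the PAN is a made-up test value.
"""
import re

# Constructed sample responses (hypothetical format, not real card data).
# The first returns name, PAN and expiry (YYMM) in the clear; the second
# returns only an opaque one-time value that is useless to an eavesdropper.
PLAINTEXT_RESPONSE = b"\x02J DOE^4539148803436467^2508\x03"
OPAQUE_RESPONSE = b"\x02TOKEN:9f3a7c1e2b5d0f8a44e6c9a1b3d5e7f9\x03"

# Card PANs are 13 to 19 digits; expiries here are assumed to be YYMM.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
EXPIRY_RE = re.compile(rb"(?<!\d)(\d{2})(0[1-9]|1[0-2])(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_card_data(response: bytes) -> dict:
    """Report Luhn-valid PANs and YYMM expiries found in a reader response.

    'leaks' is True when at least one valid PAN was recovered in the clear.
    """
    pans = [
        m.group(1).decode()
        for m in PAN_RE.finditer(response)
        if luhn_ok(m.group(1).decode())
    ]
    expiries = [m.group(0).decode() for m in EXPIRY_RE.finditer(response)]
    return {"pans": pans, "expiries": expiries, "leaks": bool(pans)}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the usual form for logs and receipts."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    for label, resp in (("plaintext", PLAINTEXT_RESPONSE), ("opaque", OPAQUE_RESPONSE)):
        result = find_cleartext_card_data(resp)
        shown = [mask_pan(p) for p in result["pans"]]
        print(f"{label}: leaks={result['leaks']} pans={shown} expiries={result['expiries']}")
```

The check deliberately ignores how the radio link itself is protected: it only asks whether the bytes that arrived would let someone charge the card. A response that carries nothing but a one-time token, as in the second constructed sample, passes the check however strong or weak the link encryption is, which is the distinction the column is drawing.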

Heydt-Benjamin claims that, in tests on around 20 cards from all three card issuers, he and his team were able to view the card details using $150-worth of electronics from sources on the Net and, of course, good old Radio Shack.

As one of the research team behind Heydt-Benjamin said to one reporter: "Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?"

Fortunately for Brits, PayPass is only on trial by the RBS Group in the UK, so let's hope it dies a natural death - like Mondex...